According to the security company, these represent nearly 74 per cent of Android devices in use today. It figures over 1 million Google accounts have already been compromised.

The news is also another example of why vendors and carriers have to co-operate to ensure the latest patches for Android devices are made available as soon as possible, and why users have to be disciplined into only downloading Android apps from the Google Play store. Evidence of the malware, dubbed Gooligan, has been found in dozens of legitimate-looking apps on third-party Android app stores, said Check Point. Gooligan-infected apps can also be installed using phishing scams where attackers broadcast links to infected apps to unsuspecting users via SMS or other messaging services.

“This theft of over a million Google account details is very alarming and represents the next stage of cyber-attacks,” Michael Shaulov, Check Point’s head of mobile products, said in a statement. “We are seeing a shift in the strategy of hackers, who are now targeting mobile devices in order to obtain the sensitive information that is stored on them.”

Check Point alerted Google before issuing the release. It said Google issued the following reply: “We appreciate Check Point’s partnership as we’ve worked together to understand and take action on these issues. As part of our ongoing efforts to protect users from the Ghost Push family of malware, we’ve taken numerous steps to protect our users and improve the security of the Android ecosystem overall.”

Google is contacting affected users and has revoked their tokens, removed apps associated with the Ghost Push family from Google Play, and added new protections to its Verify Apps technology.

Gooligan is a new variant of the Android malware campaign found in the backup SnapPea app last year. Check Point says the campaign is infecting 13,000 devices a day, mainly in Asia, although 19 per cent of infections are in the Americas.

Check Point has a free tool for detecting the malware. If an account has been breached, do the following:

–A clean installation of an operating system on your mobile device is required (a process called “flashing”). As this is a complex process, we recommend powering off your device and approaching a certified technician, or your mobile service provider, to request that your device be “re-flashed.” Then change the Google account passwords.

Currently a freelance writer. Former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including ITBusiness.ca. Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.